OpenVZ Forum

NAT question (Problems to apply nat rules to get internet to vps)
NAT question [message #51388] Sun, 04 May 2014 17:15
rubendob

Recently I have mounted a new CentOS 6 with OpenVZ. At the final step, I was trying to give internet to the VPS with NAT iptables, but I got this problem:

v1.3.5: can't initialize iptables table `nat': Table does not exist

I have noticed that after installing the OpenVZ kernel, a new file in /etc/modprobe.conf is created with the following line:

options ip_conntrack ip_conntrack_disable_ve0=1

If I comment out the line in the file, then I can apply the rule and CentOS does not complain like before.

Why is this? I don't understand. Can you give me some information about it?

Re: NAT question [message #51410 is a reply to message #51388] Mon, 12 May 2014 19:10
kir

vzctl prints the following upon adding this line:

============================================================================
Due to conntrack impact on venet performance, conntrack need to be disabled
on the host system (it will still work for containers).

Adding the following option to /etc/modprobe.d/openvz.conf

options nf_conntrack ip_conntrack_disable_ve0=1

This change will take effect only after the next reboot.

NOTE: IF YOU NEED conntrack functionality, edit $file NOW,
changing =1 to =0. DO NOT REMOVE the line, or it will be re-added!
============================================================================

I think this explains it. Also, make sure you DO NOT COMMENT OUT this line, but change the parameter value to 0, otherwise it might be re-added during a vzctl upgrade.

Kir Kolyshkin
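
An added example, not part of the original thread or of vzctl: a shell script for the edit described above, setting ip_conntrack_disable_ve0 to 0 while keeping the options line active instead of commenting it out. The function names and the .bak backup suffix are assumptions; pass the path of the modprobe file that holds the line.

```shell
#!/bin/sh
# Added example (not vzctl code). Function names and ".bak" are assumptions.
PARAM='ip_conntrack_disable_ve0'

# Report how the option is set in a modprobe config file:
#   disabled  - active "options" line with =1 (conntrack off on the host)
#   enabled   - active "options" line with =0
#   commented - "options" line present but commented out (may be re-added)
#   absent    - no such line in the file
conntrack_ve0_state() {
    file=$1
    if grep -Eq "^[[:space:]]*options[[:space:]].*${PARAM}=1" "$file"; then
        echo disabled
    elif grep -Eq "^[[:space:]]*options[[:space:]].*${PARAM}=0" "$file"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#+[[:space:]]*options[[:space:]].*${PARAM}=" "$file"; then
        echo commented
    else
        echo absent
    fi
}

# Keep the line, set the value to 0. A commented-out line is uncommented
# first, so the file ends up with an active "=0" entry either way.
enable_host_conntrack() {
    file=$1
    state=$(conntrack_ve0_state "$file")
    case $state in
        enabled) return 0 ;;
        absent)  echo "no ${PARAM} line in $file" >&2; return 1 ;;
    esac
    cp -p "$file" "$file.bak" || return 1
    sed -E \
        -e "s/^[[:space:]]*#+[[:space:]]*(options[[:space:]].*${PARAM}=)/\1/" \
        -e "s/(${PARAM})=1/\1=0/" \
        "$file.bak" > "$file"
}

# Stand-alone use: sh script.sh /path/to/modprobe/file
if [ -n "${1:-}" ]; then
    enable_host_conntrack "$1" && conntrack_ve0_state "$1"
fi
```

As the vzctl message quoted above says, the change takes effect only after the next reboot.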

Re: NAT question [message #51412 is a reply to message #51410] Fri, 16 May 2014 13:00
TheStig

Is there more information available as to what the performance impact of conntrack on ve0 is and why it was decided now that it will be disabled by default?